CVE-2023-40931: 
Nagios XI vulnerability analysis and mitigation

A SQL injection vulnerability was discovered in Nagios XI versions 5.11.0 through 5.11.1. The vulnerability allows authenticated attackers to execute arbitrary SQL commands via the ID parameter in the POST request to /nagiosxi/admin/banner_message-ajaxhelper.php. The issue was discovered by Outpost24 Ghost Labs Vulnerability Research and was patched on September 11, 2023, with the release of version 5.11.2 (Outpost24 Blog, Hacker News).

The vulnerability exists in the Announcement Banners feature of Nagios XI. When a user acknowledges a banner, a POST request is sent to the affected endpoint with POST data containing an action and message ID. The ID parameter is processed without proper sanitization, allowing SQL injection attacks. The vulnerability has a CVSS v3.1 base score of 6.5 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N (NVD, Outpost24 Blog).

Successful exploitation allows authenticated attackers with low or no privileges to retrieve sensitive data from the database, including information from xisession and xiusers tables. The exposed data may include emails, usernames, hashed passwords, API tokens, and backend tickets. The vulnerability does not require the existence of a valid announcement banner ID, meaning it can be exploited by an attacker at any time (Outpost24 Blog).

Users are advised to upgrade to Nagios XI version 5.11.2 or later, which contains the security fix for this vulnerability. The patch was released on September 11, 2023 (Outpost24 Blog, Hacker News).